Docs SSL » History » Revision 21

snailfly, 2008-01-03 09:51


TracNav(DocsToc)

{{{
#!rst
===========
Secure HTTP
===========

------------
Module: core
------------

.. meta::
:keywords: lighttpd, ssl

.. contents:: Table of Contents

Description
===========

lighttpd supports HTTPS (SSLv2, SSLv3 and TLS, as provided by OpenSSL) when it is compiled against openssl. SSLv2 is broken and should be disabled; see the PCI DSS section below.

How to install SSL
------------------

To use SSL, lighty must be compiled with OpenSSL support, so the openssl package and its development headers (openssl-devel) must be installed first. On Fedora or CentOS you can install both with yum: ::

    yum install openssl*

And type yes when it asks for a confirmation of what you would like to install.

Once installed, download the `tarball <http://www.lighttpd.net/download>`_ and extract it with ::

    tar zxvf lighttpd-1.4.11.tar.gz

Enter the extracted folder and run configure with these flags: ::

    ./configure --with-openssl --with-openssl-libs=/usr/lib

Remember to change --with-openssl-libs= to the folder where your openssl libraries are installed into.

Once configured, run make and make install. If lighty has been built with SSL support, the command ::

    lighttpd -v

should display *(ssl)* after lighty's name: ::

    lighttpd-1.4.11 (ssl) - a light and fast webserver
    Build-Date: Sep 1 2006 19:09:15

If you installed lighty from the RPM packages, the init.d script still points at the packaged binary rather than the one you just compiled. The install location is printed near the end of make install; edit /etc/init.d/lighttpd and change the lighttpd="/usr/sbin/lighttpd" line to that path.

Configuration
-------------

To enable SSL for the whole server you have to provide a valid
certificate and enable the SSL engine. If your certificate was issued
through an intermediate CA (a chained certificate), you must also point
ssl.ca-file at the CA chain; without it browsers will pop up an
"unknown certificate authority" or similar error. ::

    ssl.engine  = "enable"
    ssl.pemfile = "/path/to/server.pem"
    ssl.ca-file = "/path/to/CA.crt"

Note that enabling SSL for the whole server as shown above replaces plain HTTP on the listening socket; the server no longer answers non-SSL requests there. Also, if ssl.ca-file is missing for a chained certificate, MS Internet Explorer will still accept the certificate (Windows fetches the missing intermediate certificate itself) but Firefox will not.

HTTPS (as supported here) does not allow name-based virtual hosting:
the server must present its certificate before it has read the Host
header, so there is nothing to select a certificate by. If you want to
run multiple SSL servers with one lighttpd instance you must use
IP-based virtual hosting, with one certificate per socket: ::

    $SERVER["socket"] == "10.0.0.1:443" {
        ssl.engine           = "enable"
        ssl.pemfile          = "www.example.org.pem"
        ssl.ca-file          = "/etc/CA.crt"
        server.name          = "www.example.org"
        server.document-root = "/www/servers/www.example.org/pages/"
    }

If you have a .crt and a .key file, cat them together into a single
PEM file. The combined file contains the private key, so make it
readable only by the user that starts lighttpd: ::

    $ cat host.key host.crt > host.pem

Self-Signed Certificates
------------------------

A self-signed SSL certificate can be generated like this. Key and
certificate are written into the same PEM file, and -nodes leaves the
key unencrypted so lighttpd can start without a passphrase. Browsers
will warn about the certificate because no known CA signed it: ::

    $ openssl req -new -x509 \
        -keyout server.pem -out server.pem \
        -days 365 -nodes

PCI DSS compliance
==================

Matthew Glubb wrote:

I should clarify the reason for this work. From September 19th, all major online vendors taking card payments will be required to comply with the Payment Card Industry (PCI) Data Security Standard. Smaller vendors may self-certify but they will be more liable if fraud is committed.
Part of this standard is the disabling of SSLv2 and the removal of support for ciphers that have a key length of less than 128 bits. For this reason, I believe that the default SSL configuration for lighttpd should reflect this standard.

Since 1.4.12 you can use: ::

    ssl.use-sslv2   = "disable"
    ssl.cipher-list = "..."

to disable SSLv2 and set a cipher list.

ssl.cipher-list takes a single string containing the ciphers you want to accept, separated by whitespace. A lighttpd array (a parenthesised list of strings) will not work.

Matthew also provided a list of possible ciphers:

Hope it can be of use. Next time I'll submit a proper svn patch but I was in a hurry! Which might explain my somewhat short list of supported ciphers. I've since done some research and this list of supported ciphers is much more comprehensive. It supports all ciphers >= 128 bit key lengths for SSL v3.0, TLS v1.0, and AES cipher suites from RFC3268, extending TLS v1.0 (these seem to be the ones used by recent browsers, not included in the original list): ::

    RC4-SHA
    RC4-MD5
    ADH-RC4-MD5
    EDH-RSA-DES-CBC3-SHA
    EDH-DSS-DES-CBC3-SHA
    DES-CBC3-SHA
    ADH-DES-CBC3-SHA
    DES-CBC3-MD5
    AES128-SHA
    AES256-SHA
    DH-DSS-AES128-SHA
    DH-DSS-AES256-SHA
    DH-RSA-AES128-SHA
    DH-RSA-AES256-SHA
    DHE-DSS-AES128-SHA
    DHE-DSS-AES256-SHA
    DHE-RSA-AES128-SHA
    DHE-RSA-AES256-SHA
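As an added example (not part of this page or of the lighttpd project), here is a small Python checker that reads a lighttpd.conf fragment and flags the mistakes the Configuration and PCI DSS sections warn about: ssl.engine enabled without ssl.pemfile, SSLv2 left enabled, ssl.cipher-list written as an array rather than one string, cipher names outside the >= 128-bit list above, and a pemfile that lacks either the private key or the certificate that ``cat host.key host.crt`` is supposed to put there. The config parser, the sample configuration and the placeholder PEM text are all constructed for the example. The allow-list is Matthew's 2008 list as quoted on this page; by today's standards it would itself fail review (RC4 and 3DES suites, no forward-secret ECDHE), so read it as a demonstration of the check rather than as a current policy.

```python
"""Lint a lighttpd SSL configuration for the settings discussed on this page.

Added example: the parser, sample config and placeholder PEM are constructed
for illustration and are not lighttpd project code.
"""
import re
from typing import Dict, List

# The >=128-bit suite list quoted on this page (2008 policy; RC4/3DES would not pass today).
PCI_ALLOWED_CIPHERS = frozenset("""
RC4-SHA RC4-MD5 ADH-RC4-MD5 EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA
DES-CBC3-SHA ADH-DES-CBC3-SHA DES-CBC3-MD5 AES128-SHA AES256-SHA
DH-DSS-AES128-SHA DH-DSS-AES256-SHA DH-RSA-AES128-SHA DH-RSA-AES256-SHA
DHE-DSS-AES128-SHA DHE-DSS-AES256-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA
""".split())

# key = value            (value kept raw, quotes included)
ASSIGN_RE = re.compile(r'^\s*([\w.\-]+)\s*=\s*(.+?)\s*$')
# $SERVER["socket"] == "10.0.0.1:443" {      (one level of conditionals is enough here)
BLOCK_RE = re.compile(r'^\s*(\$\w+\[.+?\]\s*(?:==|!=|=~|!~)\s*".*?")\s*\{\s*$')
PEM_LABEL_RE = re.compile(r'^-----BEGIN ([A-Z0-9 ]+)-----$', re.M)


def parse_lighttpd_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal lighttpd.conf reader: assignments grouped by the conditional block
    they appear in ("global" for top level). '#' starts a comment, so values that
    themselves contain '#' are not supported by this toy parser."""
    scopes: Dict[str, Dict[str, str]] = {"global": {}}
    stack: List[str] = ["global"]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        block = BLOCK_RE.match(line)
        if block:
            stack.append(block.group(1))
            scopes.setdefault(stack[-1], {})
            continue
        if line.strip() == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        assign = ASSIGN_RE.match(line)
        if assign:
            scopes[stack[-1]][assign.group(1)] = assign.group(2)
    return scopes


def lint_ssl(scopes: Dict[str, Dict[str, str]]) -> List[str]:
    """One finding per problem in each scope with ssl.engine enabled; [] means all pass."""
    findings: List[str] = []
    for scope, kv in scopes.items():
        if kv.get("ssl.engine") != '"enable"':
            continue  # plain-HTTP scope, nothing to check
        where = f"[{scope}]"
        if "ssl.pemfile" not in kv:
            findings.append(f"{where} ssl.engine enabled but ssl.pemfile not set")
        if kv.get("ssl.use-sslv2") != '"disable"':
            findings.append(f'{where} SSLv2 still enabled; add ssl.use-sslv2 = "disable" (lighttpd >= 1.4.12)')
        cipher_list = kv.get("ssl.cipher-list")
        if cipher_list is None:
            findings.append(f"{where} no ssl.cipher-list; the OpenSSL default suite list is used")
        elif cipher_list.lstrip().startswith("("):
            findings.append(f"{where} ssl.cipher-list must be one quoted string, not an array of strings")
        else:
            # OpenSSL accepts ':' ',' or whitespace between suite names; the page uses whitespace.
            suites = [s for s in re.split(r"[\s:,]+", cipher_list.strip().strip('"')) if s]
            weak = [s for s in suites if s not in PCI_ALLOWED_CIPHERS]
            if weak:
                findings.append(f"{where} suites outside the >=128-bit list: {', '.join(weak)}")
    return findings


def check_pemfile(pem_text: str) -> List[str]:
    """ssl.pemfile must hold both blocks that 'cat host.key host.crt > host.pem' produces."""
    labels = PEM_LABEL_RE.findall(pem_text)
    findings: List[str] = []
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        findings.append("pemfile has no PRIVATE KEY block (was host.key concatenated in?)")
    if "CERTIFICATE" not in labels:
        findings.append("pemfile has no CERTIFICATE block (was host.crt concatenated in?)")
    return findings


# Constructed sample input, not a real deployment: one compliant socket, one not.
SAMPLE_CONFIG = '''
server.document-root = "/www/pages/"

$SERVER["socket"] == "10.0.0.1:443" {
    ssl.engine      = "enable"
    ssl.pemfile     = "/etc/lighttpd/www.example.org.pem"
    ssl.ca-file     = "/etc/lighttpd/CA.crt"
    ssl.use-sslv2   = "disable"
    ssl.cipher-list = "AES256-SHA AES128-SHA DHE-RSA-AES256-SHA DES-CBC3-SHA"
}

$SERVER["socket"] == "10.0.0.2:443" {
    ssl.engine      = "enable"
    ssl.pemfile     = "/etc/lighttpd/legacy.pem"
    ssl.cipher-list = ("AES256-SHA", "EXP-RC4-MD5")   # array form: lighttpd will not take this
}
'''

# Constructed placeholder PEM: the bodies are not real key or certificate material.
SAMPLE_PEM = """-----BEGIN RSA PRIVATE KEY-----
placeholder, not a real key
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
placeholder, not a real certificate
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    for finding in lint_ssl(parse_lighttpd_conf(SAMPLE_CONFIG)) + check_pemfile(SAMPLE_PEM):
        print(finding)
```

Run against the sample, the 10.0.0.1 socket passes and the 10.0.0.2 socket produces two findings (SSLv2 not disabled, cipher list given as an array). To use it on a real server, feed the contents of lighttpd.conf to parse_lighttpd_conf and each ssl.pemfile to check_pemfile.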

Client certificates
===================

How do you make the server request an SSL client certificate?

See Also
========
}}}
